
Multiple GRE interfaces not adding routes properly


I have a single "remote" SRX setup with a pair of GRE/IPsec tunnels, each to a different "hub" SRX gateway (i.e. 3 SRX boxes in total in this setup). I'm using GRE so I can send multicast traffic from the remote to both hubs. So, oddly, I can send multicast traffic in one direction over both tunnels, but ping does not work on just one of those tunnels. The other one is working fine. From what I can tell, everything is configured identically between the two tunnels on both ends.

 

On the single SRX with 2 tunnels, I am using the gr-0/0/0.0 and gr-0/0/0.1 interfaces. I even tried swapping the tunnels between the two interface units to see if that would help, but it didn't. I haven't switched the underlying ge or st ports because I don't think that should matter.

 

From what I can see, the routing table is not being updated for the second tunnel on the remote, even after I switch the gr interface units used.  The tunnel does show as UP, but cannot ping across it.

 

I also tried using gr-0/0/1.0 instead of gr-0/0/0.1, but then the GRE tunnel does not even come up at all (neither up nor down; it just doesn't show up).

 

Any ideas on how to further debug this issue?  


Re: Security Policy source-address-excluded


Yes, that seems to be correct. I had not noticed this feature in security policies before. I have used something similar in ACLs, which use the word "except".

But go for it and test an IP on a test workstation. Also,

BE SURE TO USE: commit confirmed <time_value in minutes>

If you are remote, ask someone on the network whom you can test it with.

Unfortunately I do not know if there is a GUI option to test firewall policies, and I don't know of one from the CLI. There is a "test policy" for routing policies. I think this is a major utility that they do not seem to have considered, but it is extremely useful. I know of other security firewalls with a built-in utility to test all kinds of security policies.

Re: SRX Route VPN - Random tunnel tear downs


st_ZERO,  

 

Did you ever get this resolved? I am having the exact same issue since changing to IKEv2 between my hub and spoke VPNs.

 

Rob.

 

Re: Multiple GRE interfaces not adding routes properly


Based on your description, I am wondering if the two remote SRXs also have a connection with routes between each other?

Perhaps the return path for your traffic is going the wrong direction.

 

In any case, have a look at the active routes for the remote sites on all three SRXs. Confirm that the route into the GRE tunnel is the active one you expect right now.

App-Secure


I have a misunderstanding regarding nested applications, sorry :)

For example, in AppSecure it keeps saying that Facebook and Twitter are considered nested applications inside HTTP.

1- Does that mean that each site I visit using my web browser is considered a nested application?

 

2- What is wrong with that? I mean, I can differentiate between Facebook and YouTube based on IP address even though both of them use port 80.

 

3- I know this question may be weird :) but why does it keep saying that Facebook is an application, like it is supposed to exist in L7 of the OSI model as other application protocols do (HTTP, FTP, SMTP, DNS and so on)? I mean, it is just a web server.

Re: Multiple GRE interfaces not adding routes properly


Hello,

 

So you are saying that the IPsec and GRE tunnels are up between the remote site and the two hubs, but with one of the hubs, ping is unreachable.

Did you get a chance to collect traceoptions for the ping traffic and packet captures for the ESP traffic between the remote site and the non-working hub?

 

Regards,

 

Rushi

Re: App-Secure


Hello,

 

1) Not exactly. It depends on what you are trying to access.

2) How will you differentiate between Facebook and Facebook Messenger, though both of them use HTTP? Or Yahoo and Yahoo Messenger?

To differentiate them (Facebook from Facebook Messenger) it is necessary to divide Layer 7 into two sub-types:

Layer 7 applications &

Layer 7 protocols

 

https://www.juniper.net/documentation/en_US/junos/topics/concept/services-application-identification-nested-application-overview.html

 

Regards,

 

Rushi

Re: SRX240 only one IPSec tunnel is slow in one direction.

Are you using the same host to test VPN performance across multiple tunnels? Which version of iperf do you use?

Re: Multiple GRE interfaces not adding routes properly


Can you share "show route" output from all 3 devices for the GR subnet and the destination IPs?

Re: SRX240 only one IPSec tunnel is slow in one direction.


Yes, the same hosts.

 

Iperf 3.1.3-win64

Re: Security Policy source-address-excluded


Hi VMCOps,

 

Did you copy this output from the SRX? I don't see an option to specify the address after the "source-address-excluded" command.

 

 

root@srx# ...ock-Access match source-address-excluded ?         
Possible completions:
  <[Enter]>            Execute this command
+ application          Port-based application
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Match destination address
  destination-address-excluded  Exclude destination addresses
+ source-address       Match source address
> source-end-user-profile  Match source end user profile
+ source-identity      Match source identity
  |                    Pipe through a command
[edit]
root@srx#

 

 

The URL below explains how to configure source-address-excluded, and I can see it is working.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/security-policy-negated-address-configuring.html

 

Step 1. Create the address book entry that you need to exclude (it can be zone-based or global).

 

set security zones security-zone TRUST address-book address My-PC 10.10.10.1/32

 

Step 2.

 

Create a security policy with this address as source/destination and include source-address-excluded / destination-address-excluded.

 

set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address My-PC
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address-excluded
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match application any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access then deny

 

 

Step 3.

 

Run "show security policy detail" to make sure the address is showing as excluded.

 

root@srx> ...from-zone TRUST to-zone UNTRUST detail            
Policy: Block-Access, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: TRUST, To zone: UNTRUST
  Source addresses(excluded):
    My-PC: 10.10.10.1/32
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
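The steps above rely on the negated-address semantics of source-address-excluded: the policy matches traffic whose source is NOT in the listed addresses, so a deny policy with My-PC excluded denies every other source while leaving My-PC to fall through to whatever policy follows. The Python script below is an added example, not part of the post or of Junos, that parses set-style configuration lines of the shape shown above into a small policy model and evaluates source/destination pairs against it with first-match and default-deny semantics. The Allow-Rest permit policy, the destination addresses and the second source IP are constructed for the example; only the address-book and Block-Access lines mirror the post.

```python
import ipaddress
import re

# Constructed set-style configuration. The address book and Block-Access lines
# follow the post above; Allow-Rest is added so the excluded host has a policy
# to fall through to (without it, the implicit default deny would hit My-PC too).
SAMPLE_CONFIG = """\
set security zones security-zone TRUST address-book address My-PC 10.10.10.1/32
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address My-PC
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address-excluded
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match application any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access then deny
set security policies from-zone TRUST to-zone UNTRUST policy Allow-Rest match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy Allow-Rest match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Allow-Rest match application any
set security policies from-zone TRUST to-zone UNTRUST policy Allow-Rest then permit
"""

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$")


def parse_config(text):
    """Return (address_book, policies): {name: ip_network} and a list of policy dicts
    in configuration order (the order in which the SRX evaluates them)."""
    book, policies, order = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            _zone, name, prefix = m.groups()
            book[name] = ipaddress.ip_network(prefix, strict=False)
            continue
        m = POL_RE.match(line)
        if not m:
            continue
        fz, tz, name, kind, rest = m.groups()
        key = (fz, tz, name)
        if key not in policies:
            policies[key] = {"from": fz, "to": tz, "name": name, "src": [], "dst": [],
                             "src_excluded": False, "dst_excluded": False, "action": None}
            order.append(key)
        pol = policies[key]
        parts = rest.split()
        if kind == "then":
            pol["action"] = parts[0]
        elif parts[0] == "source-address":
            pol["src"].append(parts[1])
        elif parts[0] == "destination-address":
            pol["dst"].append(parts[1])
        elif parts[0] == "source-address-excluded":
            pol["src_excluded"] = True
        elif parts[0] == "destination-address-excluded":
            pol["dst_excluded"] = True
    return book, [policies[k] for k in order]


def _listed(ip, names, book):
    """True if ip is covered by any named address-book entry (or the 'any' keyword)."""
    return any(n == "any" or (n in book and ip in book[n]) for n in names)


def address_matches(ip, names, excluded, book):
    """Negated match: with *-address-excluded the policy matches only when ip is NOT listed."""
    hit = _listed(ip, names, book)
    return not hit if excluded else hit


def evaluate(src_ip, dst_ip, from_zone, to_zone, book, policies):
    """First matching policy wins; no match means the implicit default deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pol in policies:
        if (pol["from"], pol["to"]) != (from_zone, to_zone):
            continue
        if not address_matches(src, pol["src"], pol["src_excluded"], book):
            continue
        if not address_matches(dst, pol["dst"], pol["dst_excluded"], book):
            continue
        return pol["name"], pol["action"]
    return None, "deny"


if __name__ == "__main__":
    book, pols = parse_config(SAMPLE_CONFIG)
    for host in ("10.10.10.1", "10.10.10.2"):  # constructed test sources
        print(host, "->", evaluate(host, "192.0.2.10", "TRUST", "UNTRUST", book, pols))
```

Running it shows the excluded host 10.10.10.1 reaching Allow-Rest (permit) while 10.10.10.2 is caught by Block-Access (deny), which is the behaviour the "Source addresses(excluded)" line in the show output describes. The model is deliberately narrow: it ignores applications, global address books and the Junos restriction on combining "any" with exclusion, so use it to reason about ordering, not as a substitute for testing on the box.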

 

 

Re: SRX 550 Boot Problems


Do you have any other working SRX550? If so, we can take a snapshot from that device to USB using "request system snapshot media usb" and then use that USB as boot media for the failed SRX.

Re: SRX - MPLS as primary path / IPSEC VPN as secondary path


Is there any reason for using traffic-selectors instead of proxy-ID?

Re: SRX240 cluster with LACP through a Cisco switch


Thanks for your answer; with these tweaks I managed to get the cluster working. :)

Re: SRX Hacking?


OK, what about the question about someone trying to access my SRX?

Is it normal? Is it an attempt at hacking?

 

kind regards.

Re: SRX Hacking?


Hello,

 

If you can identify the IP that was trying to access the SRX as trusted, then it is normal.

If you are not aware of this IP, then it might be an attack.

 

You can configure something like given in the below link to make sure that attempts from untrusted IPs do not even reach this authentication.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265

 

Regards,

 

Rushi

Re: SRX Route VPN - Random tunnel tear downs


My solution was to roll back to IKEv1. Ever since I rolled back to IKEv1 the tunnels have been as stable as can be. If you are using GCM you will need to dial that back on P1, IIRC, but other than that just remove the "v2-only" config from the gateway config.

I worked with JTAC and they could not figure out the issue either, so the only solution IMO was to roll it back to the "tried and true" IKEv1.
